Users of many popular email services have been warned to change their passwords, after it was revealed that the hacking attack which saw over 10,000 Hotmail account email addresses and passwords published online was also targeting other email services, including Gmail and Yahoo!

The passwords for the thousands of Hotmail accounts were posted online, and are thought to have been collected through a ‘phishing’ attack, in which email users are tricked into giving their details to what they think is a trustworthy source.

Password phishing: email users may have been tricked into revealing their details

Now the BBC is reporting that another list of over 20,000 email addresses and passwords is circulating, which contains passwords for Gmail, Yahoo! Mail, AOL, Comcast and Earthlink accounts.

The latest list was reportedly posted to the same site to which the Hotmail list was originally uploaded, Pastebin – a site intended for web developers to share code. Pastebin has since been taken down for maintenance by its owner.

Microsoft said that none of its servers was responsible for the security breach, and that individuals were conned into handing over their details.

‘We are aware that some Windows Live Hotmail customers’ credentials were acquired illegally by a phishing scheme and exposed on a website,’ a Microsoft spokesman confirmed today.

News of the original scam broke yesterday when technology blog neowin.net reported an anonymous user had published confidential details on Pastebin.

The list detailed more than 10,000 accounts starting with the letters A and B – which suggested that further lists for the other letters may also exist.

Internet users are urged to change their passwords regularly, to be cautious when opening attachments and visiting links from emails, even when the source appears trustworthy, and to ensure anti-virus software is up to date.

Lukas Oberhuber, chief technical officer, Forward Internet Group, said: ‘Phishing attacks are almost impossible to stop because they convince victims they are inputting their private details into a safe web site. It’s all about convincing people, which scammers have been doing forever.

‘Banks have done much more to protect against phishing than consumer web sites such as Hotmail, Gmail and Facebook. They’ve introduced measures such as onscreen keyboards and requesting security questions, so that an attacker might not get all the login details. However, all an attacker needs to do is create a fake web site and many of the security measures are defeated.

‘The online industry is attempting to educate the public on the dangers of phishing. But every site handles security differently. Ironically, Microsoft’s own form to recover a Hotmail account from the recent phishing attack looks exactly like a phishing form, requesting details such as date of birth and credit card expiry date.’